EP #52 From Regulations to Risks: The Evolving Landscape of Email Privacy

About this Podcast

In today’s episode of the ‘For The Love Of Emails’ podcast, we welcome Chris Arrendale, founder and CEO of CyberData Pros, with host Matthew Vernhout – VP, Deliverability, Netcore. Chris has previously worked as Chief Privacy and Security Officer for multiple organizations. He also holds a number of professional certifications, including Certified Information Privacy Professional, Cloud certifications, and much more. He is an expert in taking complex, technical items and breaking them down in a way that anyone can understand.

In this podcast, they discussed:
What is the current and future state of global email privacy legislation?
How have data breaches and cyber attacks influenced privacy legislation?
How have GDPR and CCPA impacted the way companies handle their email communications?
Which emerging technologies can enhance email privacy and security for companies?
How can AI help brands with email privacy and security?
Advice for new businesses on hygiene privacy activities to safeguard their operations.
Episode Transcripts

Intro (00:06):

You are listening to the ‘For The Love of Emails’ Podcast powered by Netcore, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff. Tune in to hear best practices and tactical solutions from the best thought leaders and practitioners; master your email communication now.


Matthew Vernhout (00:39):

Welcome to another episode of the ‘For the Love of Emails’ Podcast. I’ll be your host again today. My name’s Matthew Vernhout, Vice President of Deliverability for Netcore. Before we begin, I have some exciting news to share. We’re all set to launch an exciting email report on all things AMP very soon. It’s probably already out if you’re listening to the show now. We’ll put some links in the show notes so that you can read it and get access to it. What’s in this report, though, will unlock the secrets of email campaign success and describe how some of our customers have reached a staggering 1000% boost in return on investment for email by implementing AMP. The report is set to reveal the full potential of interactive AMP emails like you’ve never seen before, with data analysis of 1 billion emails sent by Netcore customers, insights from 25 industry group experts, and over a hundred innovative use cases.


Matthew Vernhout (01:41):

You’ll discover unique strategies and tips to level up your email campaigns. Say goodbye to drop-off and friction, and say hello to streamlined interactions that keep your customers engaged. Follow our LinkedIn page to get access to the report; and we will also be sharing more and more information on AMP in the future.

So let’s dive into today’s podcast. I am super excited about our guest here today. It is my pleasure to introduce my good friend Chris Arrendale, who’s come to us today from CyberData Pros. Chris Arrendale is the founder and CEO of the organization. What they do is bring a wealth of knowledge and expertise in the field of privacy, data security, and compliance to your company. So if you need help in those areas, and everybody does, Chris will be a great person to talk to. They’re an affiliative thinking group, experts in their field. And Chris has a proven track record of success, having previously launched successful companies in the business.

Chris, welcome to the podcast. I’m super excited to have you. I’m surprised I haven’t invited you earlier to talk to me. Let’s talk data privacy and geek out over email because I know you still keep your nose in the email group too. Once you’re in email, I don’t think you ever leave.


Chris Arrendale (03:07):

No, you can’t escape. Right? It’s like Hotel California. So excited to be here too with you, Matt. It’s always great to talk to you, and we’ve been friends for many years and have been doing this for a long time. I’m excited to be on this podcast with you.


Matthew Vernhout (03:21):

Awesome. So Chris, you know, privacy is an ever-expanding, ever-changing environment. Recently, I saw Texas signed a law for privacy legislation – making them the 10th state to now have a statewide privacy law. We’re going to have this massive patchwork of privacy legislation in the United States, and that’s where companies like yours are in a unique position to help brands. So, how do you see privacy evolving over the next two, five, and ten years when it comes to digital marketing in North America? We’ll start, but, you know, if you have opinions on the world, happy to hear those as well.


Chris Arrendale (04:05):

Yeah, it’s a great question too. I like to start with California, of course, being the first state in the US to enact some sort of private legislation for their consumers, for residents of California specifically, because of data breaches. California is the fifth largest economy in the world itself. So California by itself makes up a large amount of that revenue and data breaches. And people are tired of their data being sold or shared without their permission. What happens to all of us every day here in the US is that, say, if we sign up for a credit card now, there are 10 companies that have our personal data. They’re going to market that information to third-party advertisers and affiliates.


Chris Arrendale (04:52):

And we all love those affiliate marketers, don’t we, Matt? So you know, people are just tired of it here in the US, and the US has been known specifically for sectoral laws. So, CCPA, FCRA, FERPA, HIPAA, right? We’ve got laws surrounding everything, all the different sectors. But there’s not one national data privacy law in the United States. Now, there is one that has been sitting on the floor, called ADPPA, for about nine months now. And I don’t see that moving anywhere soon specifically because a lot of things are happening, you know, in the US surrounding some laws related to, of course, the debt ceiling that will happen here pretty soon. I’m sure everybody around the world’s hearing about that.


Chris Arrendale (05:45):

But no, I think that, again, Tennessee’s passing one too as well. You’ve got Texas, you’ve got Utah, you’ve got all these other states that are saying: You know what? We’re tired of our residents and the data being shared, sold, or given to third parties. We want to provide some of those protections. And some of those protections are centered around data access, right to deletion, right to modification, right? Similar to the GDPR rules. Of course, CASL rules too. But one thing we have yet to see, and I know this will stick out to all the listeners here, is no explicit opt-in, right? For email marketing. The explicit opt-in piece is left out. CAN-SPAM is still the law of the land in the United States. Nobody has made an effort to say: Hey, because of CPRA and VCDPA, because of this, we’re going to enact an explicit opt-in for email marketing. That has not happened. And it’s something that I get questioned about all the time.


Matthew Vernhout (06:39):

I actually wonder, based on the language within CAN-SPAM, if they could even enact something like that. Mainly because CAN-SPAM came out and said, we overrule anything that deals with this.


Chris Arrendale (06:51):



Matthew Vernhout (06:52):

It squashed all the other state laws that – I’m thinking back in time to the early two thousands when CAN-SPAM came out; it was 2003. We saw California leading the way, and basically, the federal government stepped in and said: Hold on. We need a federal law; let’s manage it that way. Right? And I’m still surprised that here we are 20 years later, and we haven’t seen a privacy law in the same manner. Because the same logic applies to data privacy that we talked about in the early two thousands when it came to email.


Chris Arrendale (07:30):



Matthew Vernhout (07:31):

And I know you mentioned data breaches being a huge reason. Data resale and all these different data vendors and, you know, cold email is always a hot button, very much hot button, cold email. So, as we continue to see these laws, a lot of these laws exclude things like business data as well. So your personal email is protected, but your business account is not. Do you see any changes in that in the future? Or is that going to be the law of the land going forward?


Chris Arrendale (08:11):

Yeah, especially in the United States, it’s going to be very difficult because the US, the government, the economy, they’re very pro-business, right? They’re like: Hey, every business needs to thrive and make as much money as possible… and capitalism, and, you know, all that stuff, right? So there, the federal government is very focused on that. And honestly, when it comes to business data, they’re like: Hey, that can be shared or sold because it’s going to provide services to those businesses they may not know exist or that are out there. And so everybody wins. But that’s not the case. That’s not how it works, right? You mentioned personal data. There are arguments right now that: Hey, listen, me as a small business, maybe I’m using my personal email address for small business, but you’re classifying it separately, right?


Chris Arrendale (08:58):

So what gives, what’s the separation, and is it just gmail.com versus a Google Workspace account? Is it how I’m using it within the line of business versus personal? There are so many areas of vagueness that exist right now that a lot of people are confused. And so we do help clients related to, of course, their databases and, you know, of course, opt-in consent. We help them understand data mapping and data flow. We help them understand, do they have the right technology and stack in place for what happens if you get a do not sell request. What happens if you get a right to modification, right? And how does everything flow? How are you tracking that from cookies to email consent? And so we work with a lot of different software applications and implement those for companies to help them understand that.


Matthew Vernhout (09:44):

I always love talking about this kind of stuff. Although, for me, it’s a bit weird being Canadian, right? Our privacy legislation, our federal privacy legislation, has sort of built the 10 tenets of privacy right into the legislation. Now, I get it, it’s a little outdated. It needs an update, I would say.


Chris Arrendale (10:02):

Not as bad as ours.


Matthew Vernhout (10:03):

It needs it. It’s old. It’s like 15 years old. It needs an update. The times have evolved since the law was written. But it’s interesting to see having to legislate the right to access, right to update, and right to deletion. Having just had it, you know, the great GDPR came out with it, and then we saw Brazil come out with a version of GDPR, Australia has it, and the UK has a law. So it seems weird that it’s something that we’re still legislating, but it should just fundamentally be something people can have businesses update or revoke, or it’s all of the above.


Chris Arrendale (10:45):

It’s interesting, but also, I think of people in the United States who are very customer/client experience focused. Think of the Uber app, right? So if you open Uber, you’ve got your credit card saved, your home address saved, your business address saved, your favorites saved, you’ve got a picture of yourself, and all your personal information is in there. What happens if I say I don’t want to give you all my information? I don’t wanna turn that over. What’s the customer experience like when you open that app? I gotta retype my home address and the credit card number. I think a lot of Americans are okay with giving up a lot more information, a lot more of that PII, to get a better customer experience because they may not know what the company on the other end is doing with that data. Right? Take Uber, take Facebook, and Lyft, all those companies, right? They just have had numerous breaches and numerous issues with sharing and selling data, and I think a lot of people are just getting tired of it. But honestly, Matt, a lot of people in the US, I think, are just so… they’re incoherent when it relates to what’s actually happening once they give that information over.


Matthew Vernhout (11:54):

I don’t think that’s just a US-specific thing. I would say it would maybe be more North American-wide there. People tend to value privacy but, at the same time, are happy to give all that information away. To be fair, the idea is that companies will protect that information in a way that it is not accessible to third parties, but we’ve both been around long enough to know that all the good intentions in the world won’t stop a data breach.


Chris Arrendale (12:24):

No. But I also think too that, you know, I work with a lot of companies that, you know, we will take a look at their privacy notices, their privacy statements, and we’ll actually backtrack that into making sure that they’re doing what they’re saying that they’re doing, right? Hey, our data retention policy is seven years, you know, our data’s stored at this level of encryption, all of that together. And we back that out. And, then oftentimes we say, listen, you’ve held this data for 20 years, or this data is currently sitting here in this database, but a copy of it is sitting on this person’s laptop, another one sitting in an S3 bucket that’s not encrypted, right? All those things that people just often don’t understand. And as we all know, marketers are busy with a lot of other things on their plate, they don’t have time to think about these things. So it’s having those partnerships with IT, with legal, with compliance to understand what’s going on.


Matthew Vernhout (13:17):

That’s an interesting comment. ‘Cause I think there’s also the friction between process and access, if you will, from you know, I need it to be accessible so that I can do my job as a marketer, and IT gets in the way because it’s heavily encrypted. So I’ll just put this over here in an S3 bucket where I can do whatever I want with it. IT may not even know it’s there or compliance may not know it’s there, or the business may not know it’s there, and then it just sits and gets forgotten or gets stale or isn’t following the proper practices. You know, over the years, we’ve seen the same thing with email. Somebody goes and creates an account and just spins out an email and then sends it from their own personal business email account, not following corporate rules. And we’ve seen it actually impact the reputation of brands because of the actions of one or two people doing bad things.


Chris Arrendale (14:13):

Random acts of marketing, right?


Matthew Vernhout (14:15):

That’s a great way to say it. All those things get way more complicated when you start layering all these privacy legislations. So how do you deal with training staff? Take that seasoned sales guy that’s tired of dealing with IT, and he just goes and does this because he’s done it for the last five years, or his last three companies, or whatever their process was elsewhere that worked for them. How do you deal with the training and the behavior changes for those people?


Chris Arrendale (14:48):

Great question. I’ll tell you a little story that happened a couple of years ago. We were working with a large Fortune 500 company, and they let us know that they had three platforms within their network that were able to send out emails, right? We turned DMARC on, of course, just to get reports, and there are 28 systems that were being used within their network, right? Within their domain.


Matthew Vernhout (15:11):

Everybody has one. And actually, I’ve used this exact quote from you in a presentation. You’ve told me this story once before. I used this exact quote in a presentation. So I’ve heard this story before. It’s a good one.


Chris Arrendale (15:24):

And it’s fantastic because it’s like, well, the reasons were: Hey, I don’t have time to go talk to this person, or marketing doesn’t want me to send out emails, or my boss told me to do this. And, you know, it’s crazy because nobody understands that it’s hurting email deliverability, reputation, compliance, and all these things that are broken. And so it’s tough to figure out who’s doing what. So an easy way, turn DMARC on, get those reports, go to procurement, and say, who’s authorizing the payment to MailChimp, Adobe, Marketo, and Eloqua? Who’s authorizing all this? Get those people in the room and figure out what’s going on. But you’re right; those rogue salespeople.


Chris Arrendale (16:16):

I had a call this morning with an individual. She wants help with trying to figure out how to create those subdomains across platforms like HubSpot and Salesloft and things like that. That way, reputation is not impacted across all of the different top-level corporate domains. But it’s not just that, Matt, you and I both know; it’s also where sales get their lists from. How are they acquiring this data? How old is it? Right? How often are they sending, right? There are a lot of platforms out there. You can integrate with Office 365, Google Workspace, and send out as many emails as you want. Now, there are triggers and filters within those platforms that say: Send an email; you can’t send more than 200 emails a day; send an email every 30 seconds; all of those guardrails. But at the end of the day, you and I both know that it’s the person at the other end of that keyboard, making those decisions to say: Here’s a list I just scraped; I’m going to send them as many emails as I want to try and get one sale out of it. But, by the way, I don’t know if they’re in Europe, if they’re in Canada, if they’re in Brazil, if they’re in the United States, I need sales. Who cares if we get sued, right?


Matthew Vernhout (17:16):

I’ve had those conversations with clients too, where it’s like, your mail might be CAN-SPAM compliant, but I see here you’re mailing to a large list of people in Canada. They’re like: No, we’re not. And I’m like: Well, just the fact that there are 20 .CAs on your list, and 20 different .CAs, tells me otherwise. So, absolutely, I think that’s a piece that a lot of people miss too: understanding where your data is, but understanding what your data is as well is that important piece. Because you may not know that GDPR applies. You may not know that the Australian Privacy Act applies. You may not know that the Brazil Privacy Act applies. Because you’re not looking at your data to understand the makeup of where people are and the domain distribution. Those types of things, they really are those key pieces that maybe you didn’t get when you went to the website and asked: Where is this [email protected]? I didn’t realize they were in Canada. I didn’t realize they were in the UK. I didn’t realize where they happened to be. And that’s an important piece.


Chris Arrendale (18:18):

It’s a very important piece. And it’s also about what other areas of information you’re collecting on these individuals, right? So we talked about acquisition tactics and form fills. Are you over-collecting data? Because oftentimes I work with clients, I look at their database, and it has things like SPI. I’ve seen databases that have health-related information in a database that is not protected. It doesn’t have any HIPAA protection. Just in the United States I’ve worked with clients that have collected data on children under the age of 13, and we’re talking about things like religion, culture, race, and all this information. And it’s like, what are you doing with that data? Right? You have all this data; that’s great. What are you doing with it? If you don’t need it, don’t collect it and don’t use it. That’s another thing that a lot of people don’t understand.


Matthew Vernhout (19:07):

Yeah, I use that example a lot too. Like, you wanna send birthday emails? That’s awesome. Send birthday emails, collect birthdays. But, are you gonna just send like: Hey, it’s your birthday this month. Maybe you just need to collect the month; then it’s your birthday this week or this day. Great. But do you actually need to know how old the person is, right? Not every business needs the year, and every piece of information that you have becomes something you can leak, which potentially becomes problematic for the recipient, the personnel and the end user. And I think we as a collective need to consider the end user sometimes more for what you’re collecting and why you’re collecting that info. And I love that analogy of if you don’t need it, don’t ask for it.


Chris Arrendale (19:52):

I mean, I also think it’s right – I did a talk a few weeks ago on privacy versus personalization. And personalization, I think, you know, again, specifically for B2B emails, personalization is still great, right? You know, including information, first name, maybe some details about a recent purchase or something, but don’t get creepy, right? I use that in my presentations. Like, don’t get creepy. We talked about the over-collection. Don’t get to a point where it’s like: Listen, you have leaked my entire information into one email that you’ve sent me about myself, right? Where’s the benefit here? So, privacy still reigns supreme, but again, personalization is still key for B2B emails.


Matthew Vernhout (20:33):

Yeah, I did an entire podcast a few years ago called Don’t Be Creepy. It was all about over-collection and how data is being used. And I think, as old as the example is, I still think the prime example for Don’t Be Creepy is the couponing at Target, for women who hadn’t maybe announced that they were pregnant yet, but because their purchase patterns had changed, they were able to identify these things, because you’re buying different products, and your behavior on what you’re purchasing has changed. I think that is an example of where you go from useful to creepy quickly. You know, not to vilify them; at the time it probably was a great idea. And honestly, if you’d hidden it a little better and made it a little less obvious, then maybe it wouldn’t have been as creepy. But you can easily go from great personalization to super creepy personalization very quickly.


Matthew Vernhout (21:39):

You know, I recently saw that you were talking about, I guess it’s maybe another company, a sister brand that you have, Inbox Rev. Tell me a bit about what you do with Inbox Rev and how Inbox Rev helps you. I can see how the two companies would actually work well together. Tell me a bit about that and what you do with Inbox Rev.


Chris Arrendale (21:58):

That’s a great question. So, it kind of started as a little side project, something fun that I wanted to kind of work with. Essentially, we are building data models, AI data models, using TensorFlow, to collect or suck in a lot of information: campaign metrics, reputation details and sending patterns for certain clients. So I started with a B2B marketer using Marketo, pulled in a bunch of campaign metrics, pulled in bounce details and subject lines, and got links in the emails to figure out things like what was their optimal number of subjects or number of words in the subject line that yielded the highest open. And when was the best time to send based on the metrics that they had collected. So essentially, I’ve got a few engineers; it’s definitely more of a true startup where we’re trying to figure out what makes sense and what works.


Chris Arrendale (22:52):

So, again, we’re still in beta, I would say. Just trying to figure out if there is a spot for AI and deliverability together to say all of these metrics, everything together, without me having to, like, spend hours to go through your bounce logs, to look at your optimal open rate, things like that, pull all this into a data set and say, what’s gonna be the most optimal time to send a piece of content, subject line, everything. So that way, I get the most bang for my buck. So it’s been pretty exciting. As I said, we’ve got one client that we’re working with that’s allowed us pretty much access to anything, which has been great, and we’re getting some metrics, and it’s like we’re testing these things, we’re getting some results, but it’s one, right? It’s not a hundred. And so it’s still very young, very early. It’s fun. It’s like a side project. But, you know me, I’ve got four or five companies right now, so it’s never a dull moment.


Matthew Vernhout (23:52):

But we don’t have time to get into all of them. We’re gonna talk only about privacy and email here today.


Chris Arrendale (23:58):

Another show.


Matthew Vernhout (24:00):

So taking that sort of model, like we were on five minutes ago, we were just talking, you know, on the one hand about watch how much access you give, and watch how much access and data you collect. And on the other hand, you’re like, give me everything; I need to see all the clicks and all the openings and everything. How do you take those two dichotomies and balance them out when you’re working with your customers? Because, like, yeah, give me everything all the time is certainly the mantra that I hear from people, but balancing that when I have my privacy hat on makes me cringe at the same time. So how do you balance those when you’re working with these customers?


Chris Arrendale (24:36):

That’s a great point. I think for the Inbox Rev side these are metrics that, again, we’re not collecting any PII, right? So there’s no email address. Any personalization is stripped out. We’re not collecting any of that stuff. It’s truly just a kind of overall analytics that is not related to an individual. And I think that’s sort of like the separation, right? So, I’ve been offered that information how it is. It’s like, well, tell me, maybe this email address, what is specific for this one? Nope, I’m not doing that. That goes beyond ethics, beyond where I want to go. Because again, I wanna look at what’s optimal for the business, for the brand, not for one individual who may open or click or buy, right?


Chris Arrendale (25:19):

So I think that’s the big difference. Because especially on the privacy side, it’s about, you know, there is a piece of like: Hey, we’re doing an audit, maybe a privacy impact assessment; maybe we’re doing something related to data flow or data mapping, but we’re looking at how data flows, not the PII itself. And Matt, I’m sure you’ve had this experience many times, like myself, where a client will email you a spreadsheet of email addresses, first name, last name, all the details, and it’s, I’m sure, from back in the day I was like: Hey, can you scrub this? Hey, can you tell me what’s wrong with this? Right, we’re laughing because we know we’ve been through that hundreds of times, and it’s like: Don’t email PII, do not send this to me.


Matthew Vernhout (26:01):

There are far too many systems it runs through to be safe about that. So speaking of systems and technologies and things, where are you seeing innovation come in the privacy technology field right now?


Chris Arrendale (26:15):

You know we are partners with OneTrust, and they are, they’re right down the street from where I’m sitting right now. So OneTrust has done a really decent job, I would say, with all of their modules and where they’re expanding and what their offering looks like, specifically on the integration side; I see a lot of innovation there. I’m seeing innovation from smaller companies. So we work with a company called BreachRX. BreachRX is really a nice niche company where if you’re experiencing a data breach or if you’re having maybe like, you know, an incident response rollout, you can use this tool and choose like: Hey, I’m in California, 150,000 breached, all this, and it spits out everything you need to do, right? And so tabletop exercises, incident responses.


Chris Arrendale (27:08):

This is a very crowded space now, Matt. You know, back in the day, when you and I were coming up, the ESP space, right? It started getting very crowded with marketing automation. And so, then privacy technology really started getting hot, specifically around 2016 with GDPR, right? It’s expanded more and more. And now the space is really crowded. There are hundreds and thousands of names in this space where it’s like: Hey, I can do all this, or I can take this piece or any of these 20 pieces of software. What’s really cool is things like just the basic consent management platform, where you integrate – like a OneTrust or something – with your website. It categorizes all the cookies, and it does all the consent flow and consent mapping. It’s really nice technology, but then you’ve got the GRC side of the house, right? So governance, risk, compliance, everything such as maybe ISO, SOC, the audits that you’re doing, internal security audits, risk assessments. It’s a hot area, I would say, the technology side, and something that’s gonna continue to grow. And everybody now, of course, is talking about AI on the privacy technology side, too, right?


Matthew Vernhout (28:16):

So that was my next question. What are you seeing in the world of AI when it comes to privacy innovation and privacy technology? Even in itself, AI can be wrong, maybe!


Chris Arrendale (28:30):

Hundred percent.


Matthew Vernhout (28:31):

It’s hard to update the models and the learning that AI currently has. Or, every time you ask it a question, it’s learning, right? How do you unlearn something? So from the point of AI and privacy, you know, at some point, AI’s gonna suck up some personal information, right? Like, if you ask it now what it knows, as I asked it: I asked ChatGPT a week ago what it knew about me, and it basically spits out my bio from 2021. And it’s basically like, I know this about Matthew Vernhout.


Chris Arrendale (29:09):

Two years old? 2021.


Matthew Vernhout (29:11):

Well, that’s when they stopped training the model, right?


Chris Arrendale (29:14):

Yeah. But you’re right, though.


Matthew Vernhout (29:15):

Right? But it goes out. It says: This is what I know about them from a professional point of view, if you will. I didn’t ask it for, like, the personal; tell me all the personal stuff.


Chris Arrendale (29:25):

I was gonna say, like, what concerts you’ve been to recently or anything like that.


Matthew Vernhout (29:30):

That’s right. It hasn’t; it’s not quite that personal. And it would be old concerts. They’d be two years old now.


Chris Arrendale (29:32):

Exactly. And I’m seeing a lot right on the AI side. I would say that, and you’re right, it’s not a hundred percent complete. Microsoft announced today that Bing is gonna be basically the search engine within ChatGPT, OpenAI, as it relates to that. I’m seeing a lot of things such as like: Hey, based upon your recent 10 Google searches or your recent 10 websites, I’m gonna take you here, when you type in, when you Google search, this particular site at the top, as opposed to maybe another one that would’ve been at the top if you hadn’t searched that, right? So, I equate what’s happening right now, Matt, to a lot of the spam filters, right? Because spam filters learn all the time, right?


Chris Arrendale (30:20):

So, if there’s a spam run coming in that includes these 12 words, and your brand is sending, you know, something that has 10 of those 12 words, you may have some problems or challenges, right? Always learning, always evolving. There’s another issue too that I’ve been reading about. Basically, as we all know, third-party cookies are going away, right? But they have not yet gone away. So what’s happening is a lot of these, you know, a lot of these AI engines are starting to read cookies and then make decisions for you. That’s really interesting from AI. Can you imagine – if you had shopped online, you checked out, you bought something else; the next time you went to your favorite store, two things were already in your cart based upon your previous preference that AI has basically assumed that you want these things. So it’s not really a: you may like this, Matt; it’s more of a: I’ve added this into your cart for you, Matt, so now you need to purchase these. Where does it end? Right? You start to think about that, and it is scary. I mean, it’s great that technology is here to do things like some of the automation that we need and, of course, to evolve society. But at the same time, there are some scary pieces to AI.


Matthew Vernhout (31:32):

Yeah, absolutely. And I think people are currently rushing headlong into it, like all things, without always thinking about the repercussions or the privacy impacts of some of these decisions or tools that are currently being built and managed. So, thinking about that as a person who consults on businesses, whether they’re established businesses or new businesses, just startups, what is your advice to new businesses or young businesses even when it comes to thinking about privacy for their business?


Chris Arrendale (32:15):

Great question. Depending upon what kind of business, I always like to deliver the principles of privacy by design, privacy by default, right? As we know, if you’re building a software application, privacy is built into every aspect of it, whether it be design, requirements, planning, QA, that entire phase, right? So understanding not only the fact of doing things like vulnerability scanning and penetration testing on those applications but coding with the practice of privacy. So that’s, of course, number one. I would also say that for those marketers out there, as you start to build your microsites, your web forms, you use HubSpot or some other platform. Again, think about when you’re, when you’re getting those opt-ins, how are you getting those opt-ins, right? And, of course, what data you’re actually collecting.


Chris Arrendale (33:02):

I mentioned, of course, the over-collection principle. Also, when you’re building your business plan and your business model, are you gonna be sharing or selling any data? And if so, that should be your big red flag of what safeguards you have in place, right? I also always recommend the least privilege principle, right? So again, do not give everybody in your office admin rights to everything. I see that all the time. And it’s painful ’cause I’ve seen it in Fortune 500 companies. I’ve seen it in startups. You see it all over the place. So nobody’s really immune to that. For a lot of the security audits that we do, we reference the quarterly user audits. Some people do it monthly; some people do it quarterly. Some people, unfortunately, do it annually, right?


Chris Arrendale (33:45):

But it’s looking to see: Hey, John left two months ago. Why does he still have access to Salesforce, right? Now, of course, you know, the next step to that is turning on multi-factor, you know, two-factor authentication. So that way, if they have left, of course, if it was tied to their email, they may not have access to that account. But nevertheless, making sure that not everybody has admin rights, you’re checking to make sure that those people are gone. Principle of least privilege, again. That way, again, you control or can control what information is being seen, shown, or given to other people. I also highly recommend ongoing training. Things like don’t store PII on your desktop, right? Don’t have a spreadsheet of individuals that, you know, if your laptop gets stolen, there’s gonna be a data breach.


Chris Arrendale (34:31):

We have talked about email phishing. Talking about social engineering. There are a lot of pieces or aspects to the cybersecurity side that we do that kind of evolve with the privacy side. ‘Cause, of course, they both kind of involve that data – PI data breach aspect. But there are, again, a lot of practices that we try to put into place with these businesses to make sure they understand what’s important, what they need to focus on, so that way they can go to do their job, right? Our motto essentially is: Hey, we’re gonna come in and review your privacy, data protection, and cybersecurity, but not get in the way of you running your business.


Matthew Vernhout (35:05):

Yeah. I think that is super important. I’m making a note right now. I’m off to go do an access audit.


Chris Arrendale (35:12):

Check on that WordPress site, right?


Matthew Vernhout (35:14):

Well, I’m the only user, but yeah, I better double-check that I gave myself the right access, haha. No, that’s not true. I do have some shared sites that would probably warrant a quick review, yeah, the three people that have access, it’s more of a quick review. But I do think there are, you know, a lot of things there that get missed by small businesses because everyone’s wearing multiple hats. It’s just like you said; it’s easier to make everyone an admin versus having proper access control, which is always important to limit those things. And, you’re right, it goes all the way up through all the businesses. And you mentioned phishing. I think phishing is a big one. I’m a big advocate of implementing DMARC, especially being heavily involved in BIMI right now. When you’re working with your brands and your clients, are you looking at those types of things as well? DMARC and working with them to implement and, where do you see the benefit or where do they see the benefit with those technologies?


Chris Arrendale (36:21):

Yeah, a hundred percent. So yeah, definitely on the DMARC side, BIMI is interesting. Because oftentimes marketers like the logo, right? We need to go through all these steps to make sure you do have protection. Your brand is protected, the domain’s protected, at the very end, you get your certificate, and then you get, of course, the logo. I think the benefit there, though, is two-fold. One is to protect the brand. Let’s make sure that, you know, its reputation remains high. And you and I both know, oftentimes from a deliverability perspective, well, DMARC doesn’t improve deliverability, but DMARC is there, of course, to protect the domain from having any reputational issues due to other people that may be using that domain to send an email. So it’s explaining that sometimes to help get that forward.


Chris Arrendale (37:09):

But it’s also the fact that, do you know you have third-party partners that are using that domain to send email? Do you know that Scott down in sales is using that domain to send emails, right? So it’s having that conversation: p=none, get all the reports, start to make those changes and adjustments, move them to quarantine from a percentage aspect. Ultimately, reject is where you wanna be. You and I both know that, but I think it’s important that it’s looking at the data, and oftentimes, I see DMARC records where there’s no RUA or RUF email address, and it’s like: Okay, you’ve got DMARC turned on, but you’re not looking at any of the data, you’re not looking at the metrics, right? And that’s the painful part, well, I just don’t have time. Well, if you don’t have time, then why’d you turn it on? Just to check a box, right?


Matthew Vernhout (37:58):

Right. Yeah, absolutely. And I think you’re a hundred percent right to say, like, DMARC isn’t the thing that gets better delivery, better metrics, better performance. It’s the process of going from not knowing where everything is to learning about it, to securing it, to properly authenticating it, to getting it all under control, moving into quarantine, etc. Then eventually, should you choose to go to reject, going to reject. You know, I worked with a brand a number of years ago where we went through a similar process, and they saw improvements in delivery speed, improvements in the amount of messages they could send, improvement in client performance, a reduction in spam folder placement. The process of cleaning up is what fixed their delivery issues. And they ran into exactly what you’re talking about. They had a vendor that was using the domain without their knowledge.


Matthew Vernhout (38:53):

They had some staff that were doing some things without IT’s knowledge. They had a competitor spoofing their domain, driving their reputation down, right? So you know, being able to tie up all those loose ends in the end actually gave them better performance and better everything that they wanted in the first place. So it was a valuable exercise for them. And I think sometimes you’re right. It’s the journey that gets you where you need to go. You’re not gonna see performance impact day one, but day 60, day 90, you know, day 180, depending on how long your process and your journey is, you should see those changes.


Chris Arrendale (39:33):

It’s peace of mind, too, right? Knowing that you’ve protected and locked down that domain so that way nobody else can use it but yourself. Right?


Matthew Vernhout (39:40):

Yeah, it reminds me of another story. There is a very large social media platform that both of us use. When they implemented DMARC, due to the fact that they were being phished like crazy, their initial thought was 300 mail servers authorized to send mail, and they found 3000 mail servers on their own network. Not even things that were out of network, on their own network, sending mail on behalf of the organization. It was because of a developer – 10% of the time it’s easier to just spin up my own mail server and do the thing. But at the same time, you know, goes through that whole exercise of how bad are we burning our reputation by not knowing.


Matthew Vernhout (40:23):

A project for them.


Chris Arrendale (40:24):

Yeah. It’s the same thing, right? It’s like if somebody leaves the organization and knows that account that email is tied to, certain accounts that your business relies on, you and I both know about major brands whose website’s gone down. DNS goes down because nobody paid the bill with the credit card because that individual had left the business and now they’re scrambling to try to get that backup. So it’s right. You’re right. It’s that institutional knowledge, documentation and then that peace of mind that goes along with it.


Matthew Vernhout (40:54):

All right. Well, Chris, thank you very much for being on our show today. I always love talking with you, my friend. It’s always a joy. I’m sad we don’t cross paths nearly as much as we used to in real life. We’ll have to fix that this year for sure. How can people listen and get a hold of you if they have further questions or are interested in CyberData Pros?


Chris Arrendale (41:22):

Awesome. Thank you so much for having me today. It’s always great to chat with you. The easiest way to get in touch with me is by email, it is [email protected]. The website is cyberdatapros.com and, of course, LinkedIn, just type in Chris Arrendale. You can find me there.


Matthew Vernhout (41:41):

We’ll put all those links in the show notes, Chris. Once again, thanks very much, and great chatting with you.


Chris Arrendale (41:49):

Thank you. We’ll talk soon.


Outro (41:05):

You’ve been listening to the ‘For The Love of Emails’ podcast, powered by Netcore. Hit subscribe in your favorite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit netcorecloud.com. The only global email engagement leader delivering marketing ROI and value to 25+ global unicorns and 6,500+ brands for over two decades.